My question is then: how does it get into a secure network other than e-mail, when no machines are taken in and out of the network? It has to spread originally through something other than TFTP...?

Bruce Martins wrote:
> Well this virus doesn't spread through e-mail so whether or not having
> AV software on a mail server would not really matter in this case as it
> exploits the same vulnerability that the original MSBLAST worm did, then
> patches it, the real problem is that some people aren't heeding the
> warnings and patching their machines when a patch is released for a very
> serious vulnerability like this one, same thing happened with the SQL
> slammer worm, people had more than enough time to test and apply this
> patch but didn't but hey just my 2 cents
>
> Bruce Martins
> Systems Administrator
> EXTEND>>MEDIA
> 190 Liberty Street
> Toronto, Ontario
> Canada
> M6K 3L5
> _______________________
> e:bmartinsat_private
> t: (416) 535-4222 ext. 2307
> f: (416) 535-1201
> http://www.extend.com
>
> -----Original Message-----
> From: Logan Rogers-Follis - TNTNetworx.net [mailto:loganat_private]
> Sent: Tuesday, August 19, 2003 3:34 PM
> To: Bruce Martins
> Cc: Kevin Patz; incidentsat_private
>
> My company had this virus (an unprotected computer - now secured - let
> it in), and within 10 min. it had sent 6MB worth of ICMP out of our
> network and it was totally messing up our 1.5MB SDSL line and ruining
> our VPN. I used the Norton tool and fixed them all, but I do know this
> thing is horrible (I just wish every company had AV on their mail
> server - that would help stop some of this).
>
> Logan
>
> Bruce Martins wrote:
>> As I think this has already been posted here that it would seem that
>> this may be part of the new so called "good" worm if that in fact
>> really is one, which seems to patch the machine once infected and
>> removes any traces of the previous worm as well as itself on January 1,
>> 2004, this does create a lot of traffic as it does search for other
>> vulnerable machines, is this a good or bad thing ? Did the writer of
>> this do it to help remove the infection and spread of the previous worm
>> or some other hidden agenda ?
>>
>> Mcafee link
>> http://us.mcafee.com/virusInfo/default.asp?id=nachi
>>
>> Symantec Link
>> http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
>>
>> -----Original Message-----
>> From: Kevin Patz [mailto:jambo_catat_private]
>> Sent: Monday, August 18, 2003 4:46 PM
>> To: incidentsat_private
>>
>> In-Reply-To: <3F411CBC.2020203at_private>
>>
>> Upon reading of this, I enabled logging of ping
>> requests on my firewall. So far I've only seen three
>> with len=92:
>>
>> 24.64.90.16 (Shaw Communications)
>> 24.60.234.130 (Comcast, formerly attbi)
>> 24.61.246.103 (Comcast, formerly attbi)
>>
>> My IP is on Comcast, formerly attbi, on a 24.62 IP
>> range. I also have some pings with len=60 but they
>> look more like "normal" ICMP echo requests.
>>
>>> Ken,
>>>
>>> We're seeing the same ICMP pattern.
>>>
>>> Is this from the blaster? We are looking into
>>> filtering ICMP echo
>>> request on our external routers.
>>>
>>> Here is a snip from our IDS,
>>>
>>> [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
>>> [Classification: Misc activity] [Priority: 3]
>>> [Xref => http://www.whitehats.com/info/IDS154]
>>> Event ID: 179333 Event Reference: 0
>>> 08/18/03-18:27:28.386411 65.83.120.72 -> xx.xx.xx.xx
>>> ICMP TTL:118 TOS:0x0 ID:21399 IpLen:20 DgmLen:92
>>> Type:8 Code:0 ID:2 Seq:61261 ECHO
>>> AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
>>> AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
>>> AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
>>> AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
>>>
>>> Thanks
>>>
>>> Daniel Williams
>>> Cedar Document Technologies

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Ensure Reliable Performance of Mission Critical Applications
- Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at:
http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
----------------------------------------------------------------------------
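Kevin Patz's firewall log entries with len=92 and the Snort alert Daniel Williams quoted (Type:8, DgmLen:92, four rows of AA) describe the same fingerprint: an ICMP echo request whose 64-byte payload is filled with 0xAA, 92 bytes on the wire once the 20-byte IP and 8-byte ICMP headers are added. The following Python detector is an added example, not code from anyone in this thread. It parses raw IPv4/ICMP datagrams, applies that fingerprint, and shows why matching on length alone is weaker than length plus payload: a 92-byte echo request with a different payload is not flagged, and the len=60 Windows ping and the 84-byte Linux ping are classified as ordinary. All packets, addresses (documentation ranges) and helper names (`build_echo_request`, `parse_icmp`, `is_welchia_probe`, `probe_sources`) are constructed for this example.

```python
"""
Welchia/Nachi-style ICMP probe detector (added example, constructed traffic only).
Fingerprint taken from the alert quoted in the thread: ICMP echo request,
IP DgmLen 92, 64-byte payload consisting entirely of 0xAA.
"""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ICMP_ECHO_REQUEST = 8
IP_PROTO_ICMP = 1
WELCHIA_DGM_LEN = 92          # 20-byte IP header + 8-byte ICMP header + 64-byte payload
WELCHIA_PAYLOAD_LEN = 64
WELCHIA_FILL_BYTE = 0xAA      # the "AA AA AA ..." rows in the quoted Snort alert


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_echo_request(src: str, dst: str, payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Assemble a minimal IPv4 datagram carrying an ICMP echo request (constructed traffic)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64,
                     IP_PROTO_ICMP, 0, ipv4_bytes(src), ipv4_bytes(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


@dataclass
class EchoSummary:
    src: str
    dgm_len: int        # IP total length, i.e. Snort's DgmLen
    icmp_type: int
    payload: bytes
    checksum_ok: bool   # ICMP checksum verifies (sum over the segment is zero)


def parse_icmp(pkt: bytes) -> Optional[EchoSummary]:
    """Pull the fields an IDS rule would look at out of a raw IPv4/ICMP datagram."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != IP_PROTO_ICMP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    dgm_len = struct.unpack("!H", pkt[2:4])[0]
    src = ".".join(str(b) for b in pkt[12:16])
    icmp = pkt[ihl:dgm_len]
    if len(icmp) < 8:
        return None
    return EchoSummary(src, dgm_len, icmp[0], icmp[8:], inet_checksum(icmp) == 0)


def is_welchia_probe(pkt: bytes) -> bool:
    """True only for an echo request of DgmLen 92 whose 64-byte payload is entirely 0xAA."""
    s = parse_icmp(pkt)
    return (s is not None
            and s.icmp_type == ICMP_ECHO_REQUEST
            and s.dgm_len == WELCHIA_DGM_LEN
            and len(s.payload) == WELCHIA_PAYLOAD_LEN
            and set(s.payload) == {WELCHIA_FILL_BYTE})


def probe_sources(packets: Iterable[bytes], min_count: int = 1) -> Dict[str, int]:
    """Count matching probes per source; a scanning host shows many, a stray ping at most one."""
    counts = Counter(parse_icmp(p).src for p in packets if is_welchia_probe(p))
    return {src: n for src, n in counts.items() if n >= min_count}


# Constructed sample traffic (not captured data); 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE = {
    "welchia": build_echo_request("192.0.2.10", "198.51.100.5",
                                  bytes([WELCHIA_FILL_BYTE]) * 64, ident=2, seq=61261),
    # Windows ping: 32-byte "abc..." payload, DgmLen 60 (the len=60 pings mentioned in the thread)
    "win_ping": build_echo_request("192.0.2.20", "198.51.100.5",
                                   b"abcdefghijklmnopqrstuvwxyzabcdef"),
    # Linux ping: 8-byte timestamp + 0x10..0x3F pattern, 56-byte payload, DgmLen 84
    "linux_ping": build_echo_request("192.0.2.30", "198.51.100.5",
                                     b"\x00" * 8 + bytes(range(0x10, 0x40))),
    # Same length as the worm probe but a different payload: a length-only rule would misfire
    "len92_zeros": build_echo_request("192.0.2.40", "198.51.100.5", b"\x00" * 64),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        s = parse_icmp(pkt)
        print(f"{name:12s} src={s.src} DgmLen={s.dgm_len} welchia={is_welchia_probe(pkt)}")
    stream = [SAMPLE["welchia"]] * 3 + [SAMPLE["win_ping"], SAMPLE["linux_ping"], SAMPLE["len92_zeros"]]
    print("probe sources:", probe_sources(stream, min_count=2))
```

Running the file prints the classification of each sample packet and then the per-source tally. The tally with a count threshold is the useful operational form: a host emitting many matching probes per minute is a scanning candidate to isolate, which is a narrower response than the blanket echo-request filtering on the external routers that the thread is considering, and it will not trip on the occasional legitimate 92-byte ping.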
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 21:14:45 PDT